No Time to Patch

Ever since Robert Morris (a 23-year-old doctoral student at Cornell University) unleashed a worm on the Internet in November 1988, there has been an ongoing arms race between network administrators and the digital bad guys. Malicious code is being developed at an ever-faster rate. Exploits are being automatically reverse-engineered from patches as they are distributed, so the window of vulnerability is larger than ever before. Randy Nash discusses the problems and offers some suggestions to reduce the time to patch.

Security personnel, network administrators, system owners, businesses, and government agencies continue to face growing security challenges. There is an ongoing arms race between malware developers and security professionals.

The result of this arms race is an ever-diminishing time to respond to new threats and protect our systems from compromise. This article discusses these trends and focuses on ways to streamline the patch process to minimize your exposure.

Trends in Malware

Viruses, Trojans, worms, and now bot-nets are constantly scanning the Internet, relentlessly searching for vulnerable systems. Once these systems have been compromised, they will be used for a variety of questionable and potentially illegal activities, including sending out spam, participating in widespread denial of service attacks, and scanning for even more vulnerable hosts.

In 1999, the Melissa virus infected thousands of computers at a rate that was previously unheard of. It was unique at the time because it spread via infected Microsoft Word documents. It also started a program that would email copies out to the first 50 people in Outlook address books.

A short time later (May 2000), the ILOVEYOU virus appeared, spreading to literally millions of computers around the world in a matter of hours. It used an infection vector similar to the Melissa virus, but added the capability to send usernames and passwords back to the author in the Philippines.

There have been multiple variants on these attacks, most notably the Anna Kournikova virus, which promised digital pictures of the attractive tennis star. The Anna Kournikova virus stirred up new fears of an automated tool to create these types of viruses. This would mark the first use of a tool to create new variants of malicious code.

The Internet fell victim to a new threat from the Code Red worm in July 2001. Code Red raised the bar for infection speed, hitting more than 359,000 computers connected to the Internet in less than 14 hours. This became known as a "flash worm" and led to speculation that even faster infection methods would be developed.

The concept became known as a "Warhol Worm" (named for Andy Warhol, who said that everyone would have "15 minutes of fame"). The idea was that a Warhol Worm would be capable of infecting all vulnerable hosts on the Internet in approximately 15 minutes to an hour.

The Warhol Worm was realized in the form of the Witty Worm in March of 2004. This attack was unlike anything seen previously for one very important reason: it began to spread the day after the ISS vulnerability was publicized. This represents the shortest known interval between vulnerability disclosure and worm release!

Previous attacks had taken advantage of old, well-known vulnerabilities that should rightfully have been patched long before the attacks began.

With the Witty Worm, this trend began to change. Since that time, the window of exposure has grown larger as the time between vulnerability disclosure and working exploit has shortened. This trend is becoming commonplace as the malware community has apparently found ways to reverse-engineer patches as soon as they are released.
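The "window of exposure" the article describes is something a defender can measure for every host rather than reason about in the abstract. The following Python is an added example (it is not code from the article or its author) that computes, from constructed patch-tracking records, how many days each host has been exposed since public disclosure, whether an exploit was seen before the patch landed on that host (the Witty-style case), and an ordering that puts the worst cases first. The record format, the advisory identifiers (`ADV-0001`, `ADV-0002`), the host names and all dates are invented for illustration.

```python
from dataclasses import dataclass
from datetime import date
from typing import List, Optional, Dict


@dataclass
class PatchRecord:
    """One host/advisory pair from a (hypothetical) patch-tracking system."""
    host: str
    advisory: str            # placeholder advisory id, not a real CVE
    disclosed: date          # public disclosure of the vulnerability
    exploit_seen: Optional[date]   # first observed exploit/worm, if any
    patch_released: date     # vendor patch availability
    patch_applied: Optional[date]  # None if the host is still unpatched


def exposure_window_days(rec: PatchRecord, today: date) -> int:
    """Days from public disclosure until the patch was applied (or until today)."""
    end = rec.patch_applied or today
    return (end - rec.disclosed).days


def disclosure_to_exploit_days(rec: PatchRecord) -> Optional[int]:
    """Days between disclosure and first observed exploit; None if no exploit seen."""
    if rec.exploit_seen is None:
        return None
    return (rec.exploit_seen - rec.disclosed).days


def exploit_before_patch(rec: PatchRecord, today: date) -> bool:
    """True when an exploit existed while this host was still unpatched."""
    if rec.exploit_seen is None:
        return False
    end = rec.patch_applied or today
    return rec.exploit_seen < end


def summarize(records: List[PatchRecord], today: date) -> List[Dict]:
    """Per-host summary, worst cases first: exploited-while-unpatched, then longest window."""
    rows = []
    for rec in records:
        rows.append({
            "host": rec.host,
            "advisory": rec.advisory,
            "exposure_days": exposure_window_days(rec, today),
            "days_to_exploit": disclosure_to_exploit_days(rec),
            "exploit_before_patch": exploit_before_patch(rec, today),
            "still_unpatched": rec.patch_applied is None,
        })
    rows.sort(key=lambda r: (r["exploit_before_patch"], r["exposure_days"]), reverse=True)
    return rows


def prioritize(records: List[PatchRecord], today: date) -> List[str]:
    """Host names in the order a patch team should work them."""
    return [r["host"] for r in summarize(records, today)]


# Constructed sample data: ADV-0001 mimics the Witty pattern (exploit one day
# after disclosure); ADV-0002 has no known exploit.
SAMPLE_TODAY = date(2024, 3, 20)
SAMPLE_RECORDS = [
    PatchRecord("db-01", "ADV-0001", date(2024, 3, 1), date(2024, 3, 2),
                date(2024, 3, 1), date(2024, 3, 5)),
    PatchRecord("web-02", "ADV-0002", date(2024, 1, 10), None,
                date(2024, 1, 10), date(2024, 1, 12)),
    PatchRecord("file-03", "ADV-0001", date(2024, 3, 1), date(2024, 3, 2),
                date(2024, 3, 1), None),
]

if __name__ == "__main__":
    for row in summarize(SAMPLE_RECORDS, SAMPLE_TODAY):
        print(row)
```

With these constructed records the unpatched `file-03` sorts first (exploit seen on day 1, still exposed 19 days later), `db-01` second (patched, but only after the exploit appeared), and `web-02` last. The same functions can be fed from a real inventory export; the metric that matters for the article's argument is `days_to_exploit`, which is the interval that has been shrinking.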